ClawHub

OpenClaw Security Auditor

v1.0.0

Audit OpenClaw configuration for security risks and generate a remediation report using the user's configured LLM.

1· 2.2k·15 current·16 all-time
byMuhammad Waleed@muhammad-waleed381
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description claim a local OpenClaw configuration audit. The declared requirements (cat, jq) and the instructions (read ~/.openclaw/openclaw.json, run checks, produce a report) are proportional and expected for that purpose.
Instruction Scope
The SKILL.md confines activity to reading a single config file, extracting metadata, and sending a redacted findings object to the user's configured LLM through the OpenClaw agent flow. This is coherent, but the SKILL.md does not show the exact redaction commands or jq filters used—so you must trust the skill to actually remove secrets before sending. Also, 'user's configured LLM' may be a remote service (e.g., OpenAI); validate whether findings (even metadata) are acceptable to send to that endpoint.
Install Mechanism
No install spec or code files are present (instruction-only). That minimizes disk persistence and attack surface; requirements are limited to common CLI tools (cat, jq).
Credentials
The skill requests no environment variables or credentials, which is appropriate for a local config-only auditor. However, the SKILL.md's promise to 'strip all secrets' is a behavioural assertion not enforced by declared requirements—verify redaction behavior before sending data to any remote model.
Persistence & Privilege
always is false and there is no install performing background persistence. The skill invokes the OpenClaw agent to analyze findings (normal). It does not request system-wide config changes or other skills' credentials.
Assessment
This skill appears coherent for auditing OpenClaw configs, but take simple precautions before running it on production data: 1) Inspect the SKILL.md and any jq/redaction examples (or run it against a copy of your config with secrets replaced) to confirm secrets are removed. 2) If your OpenClaw LLM is a remote cloud provider, consider whether metadata about misconfigurations is acceptable to transmit — run the audit locally against a sanitized copy first. 3) Test on a non-production or redacted config to verify output and redaction behavior. 4) If you need stronger guarantees, request or supply explicit redaction filters (so the skill never transmits token values) or use a local-only LLM before running against sensitive configs.

Like a lobster shell, security has layers — review code before you run it.

latestvk979wpe8egmhdfb00ypbxxnvr980bc4j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

OSmacOS · Linux · Windows
Binscat, jq

Comments